The Hidden Hand: Understanding Beneficial Ownership in case of Trusts

Saket Kejriwal, Assistant Manager | corplaw@vinodkothari.com, finserv@vinodkothari.com

Background

The structure of a trust inherently creates a separation of roles, typically involving three distinct parties viz. the author/settlor, trustee, and beneficiaries. While the control/operations rest with the trustee, economic benefit lies with the beneficiaries, and the settlor may continue to exert influence through the trust deed or reserved powers, thus making it difficult to clearly identify who actually “owns” or “controls” the trust. This intrinsic separation of legal control, economic interest and potential influence renders trusts far more opaque than other conventional structures like companies or partnerships. What makes the structure even more complicated is that trusts are mostly governed by 19th century laws. Trusts are not required to publicly file information about their beneficiaries; in many cases, trustees may even contend that they are not maintaining any such regular list.

Adding to this complexity is the fact that trusts may be structured in different forms. Based on the degree of control with the trustees, trusts may be discretionary, where the trustee has full discretion to identify the beneficiaries and/or their share, or non-discretionary, where the beneficiaries have identifiable and predetermined rights in the trust property. There are trusts where the determination of beneficiaries is either contingent or future – for example, children and grandchildren of the settlor. In discretionary trusts, beneficiaries may not have a defined share or enforceable claim at any given point, making it unclear whether they can be treated as beneficial owners at all. In non-discretionary trusts, although the beneficiaries are identifiable, the trustee continues to hold legal title, again blurring the line of who truly “owns” the trust.

For Reporting Entities[1] (“REs”), including Banks and NBFCs, identification and onboarding become more complex when the customer is a non-individual entity. The extent of verification varies by entity type, and trusts in particular create added challenges because of the reasons cited above.

Relevance of Identifying Beneficial Owners (‘BO’)

Before discussing how REs should identify a trust’s BO, it is important to understand why they must do so. Under paras 9 and 10 of the RBI KYC Directions, 2016, every regulated entity is required to frame a Customer Acceptance Policy which, at a minimum, mandates that no account-based relationship or transaction may be undertaken unless full Customer Due Diligence (‘CDD’) is completed. The same is based on R.10 of The FATF Recommendations.

As defined under para 3(b) Clause (v) of RBI KYC Directions, 2016, “Customer Due Diligence means identifying and verifying the customer and the beneficial owner using reliable and independent sources of identification”. Further, clause 3 under explanation to the above para extends this requirement to “Determining whether a customer is acting on behalf of a beneficial owner, and identifying the beneficial owner and taking all steps to verify the identity of the beneficial owner, using reliable and independent sources of identification.” This is similar to what is prescribed under Rule 9(1) of the PML Rules, 2005.

As part of CDD, REs are required to identify customers and their BOs, which in turn places a corresponding obligation on customers to truthfully disclose their ownership structure and furnish relevant documents that establish the identity of a natural BO. This process obliges REs to verify the authenticity and completeness of the information and documents submitted, to use these findings to determine whether to establish the business relationship, and to appropriately assign a risk rating.

However, in practice, BOs may be reluctant to provide their KYC documents due to privacy concerns, fear of scrutiny, or because complex structures were intentionally designed to keep the BO’s identity concealed. 

Who are ‘beneficial owners’?

As per para 3(a)(iv) clause (d) of RBI KYC Directions, “Where the customer is a trust, the identification of beneficial owner(s) shall include identification of the author of the trust, the trustee, the beneficiaries with 10 percent or more interest in the trust and any other natural person exercising ultimate effective control over the trust through a chain of control or ownership”. A similar definition is provided under Rule 9(3) of PML Rules, 2005.  

The aforesaid definitions originate from The FATF Recommendations, which clearly provide that, in the context of legal arrangements i.e. trusts, beneficial owner includes: “(i) the settlor(s); (ii) the trustee(s); (iii) the protector(s) (if any); (iv) each beneficiary, or where applicable, the class of beneficiaries and objects of a power; and (v) any other natural person(s) exercising ultimate effective control over the arrangement. In the case of a legal arrangement similar to an express trust, beneficial owner refers to the natural person(s) holding an equivalent position to those referred above.”

In a discretionary trust, the trustee has full discretion, whereas in a non-discretionary trust, beneficiaries have fixed rights and the trustee has limited discretion. This influences who can practically be identified as exercising control.

Now, in the case of a discretionary trust, the above framework is usually manageable because the trustee, who exercises control, may not object to being identified as a BO. However, in a non-discretionary trust, the trustee does not exercise independent discretion. In such cases, the trustee may express reluctance to be classified as a BO because he does not “benefit” from the trust in an economic sense and may view BO identification as an unwarranted extension of responsibility. This confusion often results from equating BO with someone who derives economic benefit, whereas under AML laws the emphasis is on identifying at least one identifiable individual, ensuring that there is an accountable natural person whom authorities and REs can pursue in the event of ML/TF concerns, regardless of whether they receive monetary benefit.

Difference between BO and Beneficiary

It is important to understand that the terms “beneficiary” and “beneficial owner” serve different purposes. The objective of identifying the BO is not to treat the trustee or settlor as recipients of trust benefits, but to ensure that the RE can clearly trace the natural persons involved in controlling, directing, and/or benefiting from the trust arrangement. BO identification is a regulatory requirement aimed at preventing misuse of trusts for ML/TF purposes, not a determination of who is entitled to trust assets. When viewed this way, trustee and settlor identification becomes a matter of transparency and risk assessment, not a reclassification of their legal or economic rights under the trust.

Identification of the natural person behind the Trust

REs typically encounter two scenarios that require them to look behind the trust structure: first, when the trust is the direct customer; second, when the trust is recognised as a BO of another entity.

  • Trust itself is the customer

When the trust itself is the customer, the BO identification framework is relatively straightforward. The PML Rules clearly prescribe that the following individuals must always be treated as BOs:

  • the author/settlor,
  • the trustee(s), and
  • any beneficiary holding 10% or more interest, where such interest is defined or quantifiable.

These natural persons fall squarely within the definition of beneficial owners and should be identified and verified without debate.

Where specific beneficiaries cannot be identified, for example, in a public charitable trust, or in a private trust where beneficiaries do not meet the 10% threshold, the obligation to identify BOs does not fall away. In such cases, the RE must still identify:

  • the author/settlor,
  • the trustee(s), and
  • any natural person exercising ultimate effective control, if any.

Thus, the absence of identifiable beneficiaries does not dilute the requirement. 

  • Indirect Identification (Trust as a BO / Shareholder / Partner of Another Entity)

Complexity increases when the customer is not the trust, but another legal entity, such as a company, LLP, or partnership, in which a trust holds a substantial stake. In such cases, identifying the natural person as BO requires a deeper “look-through” analysis.

The Interpretive Note to Recommendation 10 of The FATF Recommendations provides a structured cascading approach to determine BOs of legal persons. This approach should be applied sequentially[2]:

Step 1: Identify the natural persons with controlling ownership interest 

Determine whether any natural person ultimately owns or controls the entity through direct or indirect ownership (including ownership via the trust); if yes, identify the person(s) as BO.

Step 2: Identify natural persons exercising control through other means

If no natural person is identifiable through ownership, identify the natural persons exercising control of the entity through other means, such as through one or more juridical persons.

In such cases, the BO definition for trusts should not be imported from the definitions as discussed above i.e. all parties to the trust need not automatically be treated as BOs of the entity concerned.

Instead, the focus should be on identifying the natural person(s), whether trustee or settlor, who genuinely hold or exercise the relevant control over the underlying company, and evaluating them against the test of control.

Step 3: Identify the Senior Managing Official (SMO)

If no natural person can be identified under Step 1 or Step 2, the reporting entity must identify and verify a Senior Managing Official of the customer entity itself.

The intent behind this clause might be to cater to situations where the legal person is held by another legal person which is, in turn, held by a trust, or where the trust is a charitable trust with no identifiable beneficiaries and no effective control exercised by the trustee, so that the chain may not yield any natural person with a controlling ownership or control interest. In such situations, the responsibility reverts to the customer entity itself, and the senior managing official (SMO) of the customer is identified as the BO for CDD purposes.

However, even in such cases, the SMO is identified purely for the purposes of AML laws, as discussed above (see para 31 of the FATF Guidance on Beneficial Ownership of Legal Persons).

Difference between BO and SBO

While the concept of a BO and the concept of a Significant Beneficial Owner (SBO) under the Companies Act both aim to identify the natural persons behind an entity, the two frameworks differ significantly in scope and approach. The SBO definition focuses on identifying individuals who hold a prescribed level of ownership or control, and it does not provide a structured fallback if no individual meets that threshold. 

In contrast, BO identification under Rule 9(3) of the PML Rules follows a cascading approach i.e. REs must first identify natural persons with ownership, then those who exercise control through other means. Further, only when neither approach detects a clear individual do the rules require identifying the senior managing official as the BO of last resort. This ensures that BO identification cannot be left blank; every entity must ultimately map to a natural person for AML purposes, even where no SBO exists, so that transactions are not carried out in benami or opaque structures.

Conclusion

It is important to clarify that being identified as a BO is primarily a regulatory formality for compliance. It does not alter a person’s rights, liabilities, or relationship with the trust or entity. The core objective is simply to ensure that there is a clearly identifiable natural person connected to the legal entity so that the RE can complete its due diligence and satisfy AML requirements. Following are the limited obligations of being identified as a BO:

  • Provide basic KYC documents or Officially Valid Documents (OVDs) for verification of identity;
  • Respond to any follow-up queries during onboarding or monitoring; and 
  • Undergo periodic KYC updates, as requested by the RE.

  1. As per Section 2(wa) of PMLA Act, 2002 “reporting entity” means a banking company, financial institution, intermediary or a person carrying on a designated business or profession.
  2. Refer footnote no. 37 of The FATF Recommendations

Supreme Court Mandates Digital Accessibility: Action Points for Banks and NBFCs

– Harshita Malik | finserv@vinodkothari.com

Introduction

On April 30, 2025, the Supreme Court of India delivered a landmark judgment in Pragya Prasun & Ors. v. Union of India, declaring digital access as an intrinsic component of the fundamental right to life under Article 21. The Court issued comprehensive directions to make digital KYC processes accessible to persons with disabilities, particularly acid attack survivors and visually impaired individuals.

This judgment fundamentally transforms how banks and NBFCs must approach customer onboarding through digital means, with immediate compliance requirements and potential legal consequences for non-adherence.

Pursuant to the directives issued by the Supreme Court, the RBI has amended the Master Direction – Know Your Customer (KYC) Direction, 2016 (‘KYC Directions’) vide Reserve Bank of India (Know Your Customer (KYC)) (2nd Amendment) Directions, 2025 (‘KYC 2nd Amendment’).

Background: The Catalyst Case

The Petitioners’ Struggle

The petitioners in these cases highlight significant barriers faced by persons with disabilities in accessing digital KYC processes. WP(C) No. 289 of 2024 involved acid attack survivors who were unable to complete digital KYC, while WP(C) No. 49 of 2025 involved a visually impaired individual facing similar difficulties. A notable incident involved Pragya Prasun, who was denied the opening of a bank account due to her inability to perform the blinking required for liveness verification. These cases are grounded in the protections afforded by the Rights of Persons with Disabilities Act, 2016, and the fundamental right to life and personal liberty under Article 21 of the Constitution.

Current KYC Barriers Identified

The Court recognized that existing digital KYC processes create obstacles for persons with disabilities:

| Barrier Type | Specific Issues | Affected Population |
|---|---|---|
| Liveness Detection | Mandatory blinking, head movements, reading displayed codes | Acid attack survivors, visually impaired |
| Screen Compatibility | Lack of screen reader support, unlabeled form fields | Visually impaired persons |
| Visual Dependencies | Selfie capture, document alignment, front/back identification | Persons with visual impairments |
| Signature Verification | Non-acceptance of thumb impressions in digital platforms | Persons unable to sign consistently |

Legal Framework and Constitutional Mandate

Supreme Court’s Key Declarations

“Digital access is no longer merely a matter of policy discretion but has become a constitutional imperative to secure a life of dignity, autonomy and equal participation in public life.”

– Justice R. Mahadevan

The Supreme Court has firmly declared that digital access is no longer just a policy choice but a constitutional necessity to ensure individuals’ dignity, autonomy, and equal participation in society. This constitutional and legal mandate is grounded in several provisions: Article 21 guarantees the right to life with dignity, requiring digital services to be accessible to everyone; Section 3 of the Rights of Persons with Disabilities (RPwD) Act, 2016, ensures equality and prohibits discrimination against persons with disabilities; Section 40 mandates that all digital platforms adhere to established accessibility standards; and Section 46 sets a two-year timeline within which service providers must achieve compliance with these accessibility requirements.

Supreme Court Directives: Banks & NBFCs Action Matrix

The Supreme Court issued twenty directives in the said judgment to ensure that services are not denied based on disability and that digital services are accessible to all citizens irrespective of impairments. Most of these are for the regulators, while a few are for regulated entities.

Following is the list of actionables arising out of the directives for banks and NBFCs:

  1. Undergo mandatory periodic accessibility audits by a certified professional[1]; may involve PwD in user testing of apps/websites (SC directive ii);
  2. Procure or design devices or websites / applications / software in compliance with the accessibility standards for ICT Products and Services as notified by the Bureau of Indian Standards. This mandate applies to a broad spectrum of digital products and services, including:
    1. Websites and web applications;
    2. Mobile apps;
    3. KYC/e-KYC/video-KYC modules;
    4. Digital documents and electronic forms; and
    5. Hardware touchpoints (ATMs, self-service machines). (SC directive xi)
  3. Cannot reject PwD applications without proper human consideration, must record reasons for rejection. Banks and NBFCs may appoint a designated officer who shall be empowered to override automated rejections and approve applications on a case-by-case basis (SC directive xvi and KYC 2nd Amendment to Para 11 of the KYC Directions).
  4. In the process of customer due diligence, REs can accept Aadhaar Face Authentication as a valid method of authentication (KYC 2nd Amendment to Para 16 of the KYC Directions).
  5. During the V-CIP process, REs cannot rely solely on eye-blinking for liveness verification. They must ensure liveness checks do not exclude persons with special needs. For this purpose, the officials of banks or NBFCs may ask varied questions to establish the liveness of the customer (KYC 2nd Amendment to Para 18(b)(i)).

Changes to the KYC Directions

Changes have been introduced in the KYC Directions via the KYC 2nd Amendment as a result of the SC verdict; these are captured in the diagram:

Implementation Plan

Based on the Supreme Court directive in Pragya Prasun & Ors. vs Union of India and the subsequent RBI notification, here is a comprehensive stage-wise action plan for implementing digital accessibility requirements for banks and NBFCs:

Phase 1: Immediate Compliance and Assessment

Actionables for REs under phase 1 are listed below:

  1. Stage 1.1: Current State Assessment
    1. Inventory all client facing platforms like digital platforms, mobile apps, websites, and KYC systems;
    2. Document current accessibility barriers and non-compliant features and identify high-risk areas requiring immediate attention.
  2. Stage 1.2: Policy Framework Development
    1. Amend the KYC Policy to incorporate accessibility clauses for PwD;
    2. Update existing KYC Policy to incorporate paper based KYC other than video based KYC (provided such verification methods shall not result in any discomfort to the applicant); and
    3. Make necessary changes to internal documents and SOPs to include disability-inclusive customer service protocols.

Phase 2: Technical Foundation and Alternative Methods

Actionables for REs under phase 2 are listed below:

  1. Stage 2.1: Alternative KYC Methods Implementation
    1. Implement alternative means of liveness detection other than blinking of an eye such as:
      1. Gesture-based verification (beyond eye blinking);
      2. Facial movement detection;
      3. Audio-based liveness checks; or
      4. Any other method feasible to the RE
    2. Provide notices regarding the alternative methods of KYC that the RE supports/provides to PwD
    3. In case of biometric based e-KYC verification, accept thumb impressions or AADHAAR face authentication or any other biometric alternatives.
    4. In case of paper-based KYC, strengthen offline processes as accessible alternatives in such a manner that the same shall not cause any discomfort to the applicant.
    5. Remove mandatory blinking requirements in video KYC.
  2. Stage 2.2: Technical Infrastructure Updates
    1. Ensure that all digital platforms of the RE meet the accessibility standards for ICT Products and Services as notified by Bureau of Indian Standards
    2. Ensure that assistive technology is integrated into the current systems such as screen reader compatibility, voice navigation, etc.
  3. Stage 2.3: Data Capture Enhancements
    1. Modify KYC templates to add disability fields (type and percentage) so as to serve applicants better
    2. Update database to capture disability-related information (including preferred communication and customer authentication methods) for appropriate service delivery

Phase 3: Process Redesign and Human Support

Actionables for REs under phase 3 are listed below:

  1. Stage 3.1: Human-Assisted Channels
    1. Establish dedicated helpline for PwD offering step-by-step assistance in completing the KYC process through voice or video support;
    2. Conduct staff sensitization and disability awareness programs across all offices/branches
    3. Authorise/allow support from nominated guardians/family members to assist in the KYC process
    4. In case of persons dependent on sign languages, video calling service with certified interpreters shall be provided
  2. Stage 3.2: Grievance Mechanism Setup
    1. May develop dedicated accessibility complaints system for disability-related issues
    2. Ensure manual assessment of rejected KYC applications
    3. Establish clear timelines and accountability for redressal of grievances
  3. Stage 3.3: Alternative Service Delivery
    1. Train BCs/agents for disability-inclusive KYC assistance
    2. Doorstep customer authentication for severely disabled applicants, provided that such facility shall not cause any discomfort to the applicant

Phase 4: Testing and Validation

Actionables for REs under phase 4 are listed below:

  1. Stage 4.1: User Acceptance Testing
    1. May involve PwD in testing phases
    2. Ensure diverse disability testing, covering visual, hearing, physical, and cognitive impairments
    3. Ensure testing the complete customer journey from onboarding to service access
    4. Document and address all accessibility issues through feedback integration
  2. Stage 4.2: Third-Party Validation
    1. Engage an IAAP certified professional for conducting the accessibility audit
    2. Conduct security assessment of alternative authentication methods

Phase 5: Training and Capacity Building

Actionables for REs under phase 5 are listed below:

  1. Stage 5.1: Staff Development Programs
    1. Create comprehensive training modules for disability awareness and sensitivity, alternative KYC procedures, assistive technology usage, customer service best practices, etc.
    2. Conduct customized programs for different staff categories and ongoing skill development
  2. Stage 5.2: Vendor and Partner Training
    1. Ensure external partners such as BCs, tech vendors, third-party service providers, etc. understand accessibility requirements

Phase 6: Continuous Improvement and Compliance

Actionables for REs under phase 6 are listed below:

  1. Define the frequency of the accessibility audit and ensure that the audit is conducted on a regular basis (as per the decided frequency)
  2. Submit compliance status/plan of implementation to RBI as and when required

Closing Remarks

The Supreme Court’s judgment in the Pragya Prasun case elevates digital accessibility from a moral imperative to a constitutional mandate. Banks and NBFCs must view this not as a burden but as an opportunity to transform compliance into competitive advantage by becoming an accessibility leader.


[1] List of Empanelled Web Accessibility Auditors with Department of Empowerment of Persons with Disabilities, Ministry of Social Justice & Empowerment, Govt. of India.


Setu-ing the Standard: NPCI’s New Path to Aadhaar e-KYC

Archisman Bhattacharjee | finserv@vinodkothari.com

Introduction

The National Payments Corporation of India (NPCI), vide its notification NPCI/2024-25/e-KYC/003 dated 10 March 2025, formally introduced the e-KYC Setu facility. As outlined on NPCI’s official platform, e-KYC Setu enables Aadhaar-based e-KYC authentication under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act), without disclosing the individual’s Aadhaar number to the requesting (verification-seeking) entity.

Designed as a one-stop onboarding solution for regulated financial-sector entities, e-KYC Setu leverages Aadhaar-based e-KYC services while ensuring compliance with privacy safeguards under the Aadhaar Act. A key feature and a significant compliance advantage is that regulated entities using e-KYC Setu are not required to obtain a separate notification under Section 11A of the Prevention of Money-laundering Act, 2002 (PMLA). This allows financial-sector regulated entities to conduct Aadhaar-based authentication without directly collecting Aadhaar numbers or integrating with UIDAI as a licensed AUA/KUA, thereby reducing both operational complexity and regulatory burden.

In this article, we examine the regulatory implications for RBI-regulated entities, the legal permissibility for non-AUA/KUA entities to conduct authentication through e-KYC Setu, the process by which e-KYC Setu operates, and the operational and business benefits of adopting this framework.


Understanding Know Your Customer (KYC): Safeguarding Financial Integrity in India

– Sakshi Patil | finserv@vinodkothari.com

KYC compliance is mandatory for opening bank accounts, investing in mutual funds, opening demat accounts, purchasing insurance policies, and availing various other financial services. It ensures not only regulatory compliance but also safeguards the integrity of the financial system by preventing identity fraud, money laundering, and other illicit activities.

Further, India’s banking and financial sector is changing fast. Banks and other financial institutions need to make sure they know who their customers really are and that their money transactions are legal; this is where KYC processes play a pivotal role.


RBI publishes FAQs on KYC – Question on Modes of Onboarding Raises more Questions

– Subhojit Shome and Sakshi Patil | finserv@vinodkothari.com

Introduction

The Know Your Customer (KYC) Direction, 2016 dated February 25, 2016 are dense, highly technical and operationally intricate. While these directions form the regulatory backbone for customer onboarding and due diligence for financial institutions, they are not always easy to navigate for the very people tasked with implementing them: the on-ground compliance officers and operational staff.

Recognising this operational gap, on June 9, 2025, the RBI published a comprehensive set of FAQs on KYC guidelines, with the intent of simplifying the KYC framework and clarifying confusion surrounding KYC measures for banks and financial institutions. While the majority of these FAQs successfully provide the much-needed clarity to the financial sector, the response to Question 13 has the possibility of inadvertently creating a regulatory arbitrage by treating the modes of collecting KYC documents, in isolation, as full-fledged face-to-face customer onboarding. This article examines the root of this discrepancy, its potential consequences, and why it warrants a re-examination by the regulator.

Face to Face vs. Non-face-to-face Modes of Onboarding

The RBI’s KYC Directions classify onboarding into two modes:

  • Face-to-Face
  • Non Face-to-Face

This classification is significant because the risk perception, control measures, and regulatory compliances differ for each mode, especially with remote onboarding posing higher risks of impersonation, identity fraud, and misuse. Para 40(f) of the directions provides that the customers onboarded in non face to face mode shall be classified as high risk customers and shall be subjected to enhanced due diligence until they have done the face to face identification.

As per the KYC Directions, a ‘Non face to face customer’ means customers who open accounts without visiting the branch/offices of the REs or meeting the officials of REs (refer para 3(b)(x)). In this regard, e-KYC authentication, undertaking offline verification of proof of possession of Aadhaar Number (submitted by way of Aadhaar XML, mAadhaar or electronic copy of the PVC card), and obtaining equivalent e-document of OVD can all be done by remote mode. These modes of submitting KYC information do not require the presence of the customer at the branch or an authorised official having to meet the customer in person. Hence, the aforesaid modes of collecting KYC documents are regarded as a non face to face onboarding process.

However, confusion has arisen since these modes have been listed under face-to-face methods of onboarding in the response to Question 13 in the FAQs. The relevant extract is reproduced below:

  • Visit to the branch/ office of the RE;
  • using e-KYC authentication (OTP as well as biometric based authentication); undertaking offline verification of proof of possession of Aadhaar Number; obtaining certified copy of the OVD or equivalent e-document thereof; undertaking ‘Digital KYC Process’, as per paragraph 16 of the MD on KYC.
  • Video based Customer Identification Process (V-CIP) complying with prescribed standards and procedures.

It is understood that a physical visit to the bank or the digital KYC process requires the physical presence of the customer, either at the branch or through an authorised official of the RE meeting the customer physically. The KYC documents are collected and verified accordingly during the physical meeting or as a part of the digital KYC process. Similarly, the process of conducting V-CIP has been specifically recognised as a face to face mode of onboarding, which also requires the KYC document to be submitted by the customer through any one of the modes mentioned above.

V-CIP as face to face mode of onboarding

In case these modes of collecting the KYC documents, in isolation, are considered as face to face modes of onboarding, then the utility of performing V-CIP also comes into question. Let us examine why. V-CIP has been granted the same standing as face to face mode of onboarding and REs performing V-CIP are freed from the additional compliance burden of performing EDD according to para 40 of the KYC Directions. The V-CIP process requires the REs to maintain costly infrastructure and also bear operating costs to run the process. Now, the V-CIP process has two parts – one, the KYC Directions mandate a rigorous process for capturing and storing the live video of the customer which is used for establishing the existence/genuineness of the said person and two, obtaining requisite identification information from the Customer as per para 18 (b)(vi). The modes of obtaining customer identification information are –

  • OTP based Aadhaar e-KYC authentication
  • Offline Verification of Aadhaar for identification
  • KYC records downloaded from CKYCR, in accordance with paragraph 56, using the KYC identifier provided by the customer
  • Equivalent e-document of Officially Valid Documents (OVDs) including documents issued through DigiLocker

Hence, if merely performing Aadhaar-based e-KYC or offline verification of Aadhaar or obtaining OVD e-document are considered as face-to-face modes of customer onboarding, REs will have no motivation to perform the full V-CIP. This cannot be the intention of the regulator.

Additionally, RBI in its notification dated June 12, 2025 on Updation/ Periodic Updation of KYC – Revised Instructions has touched upon the distinction between face-to-face, Non face-to-face, and V-CIP onboarding. It has considered only biometric-based e-KYC and digital KYC as face to face onboarding while considering V-CIP on the same footing as face to face onboarding.

As per para 40(f) of KYC Directions, customers onboarded through non face to face mode, are classified as high risk customers. Enhanced due diligence measures are required to be undertaken for such accounts until the customer undergoes face-to-face KYC verification.

Conclusion

The meaning of face-to-face mode of onboarding is implicit in the definition of Non-face-to-face Customer as per para 3(b)(x) of the KYC Directions. Face-to-face onboarding means that either the customer physically visits the branch of the RE to open their account, or an authorised official of the RE physically meets such customer for that purpose. In either case, the existence of the customer is physically verified in face-to-face onboarding.

Given the aforesaid understanding of the regulations, in our view, the KYC Directions allow for only the following three modes of face to face onboarding –

  • Physical meeting of the Customer with the officials of the RE (e.g. branch visit), or
  • Conducting Digital KYC as per Annex I where an authorised official of the RE is required to meet the customer physically, or
  • Conducting V-CIP in compliance with all the infrastructure and operational requirements, which has been explicitly recognised as having the same standing as face-to-face onboarding per para 3(b)(xvi).

The different modes of face-to-face and non-face-to-face KYC have been visualised in the following infographic:


Making KYC Simpler: RBI’s Proposal for Boosting Periodic Updation

– Sakshi Patil | finserv@vinodkothari.com

The Reserve Bank of India (RBI) has continually worked to strengthen the Know Your Customer (KYC) framework to ensure inclusion. Recognizing challenges in periodic KYC updation, especially in remote areas where bank branches and ATMs are scarce, the RBI has proposed pragmatic measures involving Business Correspondents (BCs). These initiatives aim to ease the KYC process for beneficiaries of government schemes and rural banking customers.

Via these regulations the RBI has also proposed additional measures for REs to increase the effectiveness of periodic KYC updation, while reducing hardship on customers; these are also discussed in this article.

BC allowed to perform KYC Periodic Updation

RBI identified a significant backlog in periodic KYC updation, particularly in accounts opened for the credit of Direct Benefit Transfer (DBT), Electronic Benefit Transfer (EBT), scholarship payments, and those under the Pradhan Mantri Jan Dhan Yojana (PMJDY).

To address this, RBI’s proposed framework allows authorized BCs to assist customers with certain types of KYC updation, improving service access for those in underserved locations. However, the ultimate responsibility for KYC updation still remains with the bank. Once the bank receives the updated information from the BC, it must update its records and intimate the customer upon completion. This is mandated under paragraph 38(c) of the RBI’s Master Direction on KYC.

Updated KYC Periodic Updation Process

  • Self-declaration for No Change / Address Change
    • Customers can submit a self-declaration through a BC if:
      • There’s no change in their KYC details, or
      • Only the address has changed.
  • Collection and Recording of Self-declarations
    • Electronic Mode:
      • Banks are expected to enable their BC systems to record and store self-declarations and supporting documents electronically.
    • Physical Mode (in case electronic facilities are not available):
      • BC will authenticate the customer’s physical self-declaration and documents.
      • These will be forwarded promptly to the concerned bank branch.
      • Acknowledgment receipt shall be issued to the customer.

Transaction Flexibility for Low-Risk Accounts

In line with the KYC directions and Anti-Money Laundering (AML) standards, customers are categorized into low, medium, and high-risk categories. The risk categorization helps to determine the extent of ongoing monitoring, transaction limits, and enhanced due diligence required for each customer category.

The frequency of the periodic updation depends on the risk categorisation of the customer –

  • High Risk Customers: Every 2 years
  • Medium Risk Customers: Every 8 years
  • Low Risk Customers: Every 10 years

RBI, vide this guideline, proposes that low risk customers will be allowed time till June 2026 or one year from when their periodic KYC is due, whichever is later, to complete the periodic KYC.

For example, if a customer’s KYC was due in September 2025 and it remains pending, the bank can allow the customer to continue the transactions in their accounts up to September 2026. If the due date of the periodic updation was earlier, say May 2025, then the customer could continue to transact until June 2026.

Timely Intimations and Reminders to Customers

Periodic KYC updation is a regulatory requirement under Para 12 of the KYC Directions, under which REs are required to periodically update the customer’s KYC records after onboarding the customer. REs face several practical challenges in completing periodic KYC updation, such as customers being unaware of these requirements, or their reluctance and misconceptions about sharing personal documents or information.

In this regard, RBI has proposed that REs must issue at least three advance KYC due notices (including one by letter) at appropriate intervals, using available communication channels. If the customer still does not complete periodic KYC, three additional reminders must be sent.

All communications should contain easy to understand instructions for updating KYC, escalation mechanism for seeking help, if required, and the consequences, if any, of failure to update their KYC in time. REs are also required to maintain detailed records of these notifications and reminders.

Conclusion

By enabling simplified and decentralized KYC updation, these measures address both operational challenges and the broader goals of financial inclusion.

As the financial ecosystem evolves, such regulatory measures remain crucial for building a secure, inclusive, and customer-friendly financial environment.

Online Authentication of Aadhaar: Exclusive Club, Members Only!

-Archisman Bhattacharjee (finserv@vinodkothari.com)

Introduction

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016 (‘Aadhaar Act’) was introduced with a clear vision: to ensure efficient, transparent, and targeted delivery of subsidies, benefits, and services, fostering good governance. While its preamble underscores these fundamental objectives, Aadhaar’s role has expanded far beyond its original scope, becoming a cornerstone in the banking and NBFC sectors. As outlined in paragraph 16 of the RBI’s KYC Master Directions, Aadhaar now plays a central role in the Know Your Customer (KYC) process, a critical compliance measure for both prospective and existing borrowers.

A key aspect of KYC is the verification of the authenticity of customer documents, a process governed by specific guidelines. 

When it comes to Aadhaar-based KYC, there are two recognized methods: 

  1. Online Authentication and 
  2. Offline Verification 

The Offline Verification process is relatively straightforward (at least on paper), involving the verification of a Digital Signature Certificate (DSC) attached to the downloaded masked Aadhaar document. Importantly, offline verification can be conducted by all RBI-regulated entities for conducting KYC verification.

In contrast, Online Authentication, while offering a more robust and reliable method of KYC verification (refer FAQ 1 of UIDAI), is subject to stricter eligibility conditions and compliance requirements. Not all entities are permitted to perform Online Authentication (discussed in later parts of this article). While lenders may prefer Online Authentication due to its real-time verification capabilities and greater assurance of data authenticity, the regulatory fetters surrounding eligibility must be carefully navigated.

Given the evolving regulatory framework and industry practices, it is critical to develop a clear understanding of how Online Authentication operates and who is permitted to undertake it.

What is Online Authentication

The term authentication has been defined under Section 2(c) of the Aadhaar Act as a process “by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it”. Further, the Aadhaar (Authentication and Offline Verification) Regulations, 2021 (‘Aadhaar Rules’) expand upon the process of carrying out online authentication. Rule 4 of the Aadhaar Rules states that:

Authentication may be carried out through the following modes:

(a) Demographic authentication: The Aadhaar number and demographic information of the Aadhaar number holder obtained from the Aadhaar number holder is matched with the demographic information of the Aadhaar number holder in the CIDR.

(b) One-time pin based authentication: A One Time Pin (OTP), with limited time validity, is sent to the mobile number and/ or e-mail address of the Aadhaar number holder registered with the Authority, or generated by other appropriate means. The Aadhaar number holder shall provide this OTP along with his Aadhaar number during authentication and the same shall be matched with the OTP generated by the Authority.

(c) Biometric-based authentication: The Aadhaar number and biometric information submitted by an Aadhaar number holder are matched with the biometric information of the said Aadhaar number holder stored in the CIDR. This may be fingerprints-based or iris-based authentication or other biometric modalities based on biometric information stored in the CIDR.

(d) Multi-factor authentication: A combination of two or more of the above modes may be used for authentication.

The stated modes of carrying out online authentication are quite descriptive and do not require any further explanation. However, one thing is certain: based on the definition of the term “authentication”, obtaining the Aadhaar number becomes a mandate. The KYC Master Directions, under para 17, recognize one such mode of authentication, namely OTP-based online authentication.

Who can carry out Online Authentication

Considering that the authentication process and the e-KYC data obtained through Aadhaar may include biometric information, such information constitutes “sensitive personal data” under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). While the Digital Personal Data Protection Act, 2023 (DPDPA) does not expressly categorize any particular type of data as “sensitive personal data,” it is important to note that the Supreme Court, in the Aadhaar judgment, recognized biometric data associated with Aadhaar as sensitive in nature. Given that the DPDPA itself has its origins in the principles laid down by the Aadhaar judgment, it is our view that such data should continue to be treated with a higher standard of care.

Without delving into the subject in great detail, it is sufficient to highlight that Aadhaar-based authentication exposes individuals to considerable risks of harm, particularly in the event of a data breach. This risk is exacerbated by the fact that other identifiers such as telephone numbers, PAN cards, and other financial data are often linked to an individual’s Aadhaar number. Consequently, possessing access to an individual’s full Aadhaar number may subject an entity to considerable risk (including legal and litigation risk) if it does not put proper security safeguards in place. Usually these heightened data sensitivity concerns would not be present where KYC verification is conducted using masked Aadhaar, i.e., via Offline Verification.

Given the heightened sensitivity of Aadhaar information, it is imperative that, beyond compliance with technical security safeguards, the right to carry out Aadhaar authentication be restricted only to entities that have demonstrated robust security frameworks. Imbibing this philosophy, the Aadhaar Act has restricted access to the Aadhaar number to only a few entities, known as “requesting entities” as defined under Section 2(u) of the Aadhaar Act. In the context of Financial Sector Entities, these requesting entities would be required to be a KUA/Sub-KUA (discussed in later parts of this article).

Online authentication and KYC

Under paragraph 16(a)(ii) of the KYC Master Directions, an Aadhaar number can only be collected by entities that have been notified under Section 11A of the Prevention of Money-laundering Act, 2002 (PML Act). Further, Section 4(4)(b) of the Aadhaar Act stipulates that “authentication” can only be performed by an entity that is:

  1. either permitted to offer authentication services under any other law made by Parliament, or
  2. is seeking authentication for purposes as may be prescribed by the Central Government in consultation with the UIDAI, and in the interest of the State. 

Accordingly, a combined reading of Section 11A of the PML Act and the Aadhaar Act makes it evident that, among RBI-regulated entities, only those entities which have been notified by the Central Government are authorized to carry out Aadhaar-based authentication by collecting Aadhaar numbers. [Except for banks, which are permitted to obtain Aadhaar numbers under paragraph 16(a)(i) of the KYC Master Directions and the proviso to Section 11A of the PML Act, no other entities may carry out Aadhaar authentication without being specifically notified by the Central Government.]

Under para 17 of the KYC Master Directions, OTP-based e-KYC authentication has been recognized as a valid mode of Aadhaar authentication. This form of authentication is also recognized under the Aadhaar (Authentication and Offline Verification) Regulations, 2021 (“Aadhaar Regulations”), wherein such authentication can be carried out by either a KUA (KYC User Agency) or an AUA (Authentication User Agency).

The Aadhaar Regulations further introduce the concept of a “Sub-KUA”, which is defined under Rule 2(ob) of the Aadhaar Rules as a requesting entity that utilizes the infrastructure of a licensed KUA to perform online Aadhaar authentication. Under Rule 16, it is stipulated that an e-KYC record obtained by a KUA can only be shared with its Sub-KUAs and cannot be transferred further to any other entity. Additionally, Rule 14(ga) of the Aadhaar Regulations mandates that a KUA must obtain prior approval from UIDAI before onboarding any third-party entity as a Sub-KUA.

Reference is also drawn to UIDAI Circular 2 of 2025, which discusses the Sub-AUA and Sub-KUA application form and joint undertaking. The said documents specify that, under the head “Category of Sub-KUA and Sub-AUA”, eligible entities include those “permitted to offer authentication services under Section 11A of the Prevention of Money-laundering Act, 2002 by virtue of being a reporting entity.” A similar requirement has also been provided under the AUA/KUA Application Form.

In view of the above, it becomes clear that for any RBI-regulated entity (i.e., entities to whom the KYC Master Directions apply) wishing to onboard customers through OTP-based Aadhaar e-authentication, the following conditions must be satisfied:

  1. the entity must be registered either as a KUA or as a Sub-KUA with UIDAI; 
  2. the entity must be notified by the Central Government under Section 11A of the PML Act, thereby being authorized to collect Aadhaar numbers and conduct authentication.

However, it may be noted that in practice, the recognition processes under Section 11A of the PML Act and by UIDAI typically go hand in hand. For entities seeking notification under Section 11A of the PML Act, prior recognition by UIDAI, confirming the entity’s capability to carry out Aadhaar authentication, is generally a prerequisite. This position is supported by Circular No. F.No.P-12011/7/2019-ES Cell-DOR issued by the Government of India, Ministry of Finance, Department of Revenue.

Conclusion

In today’s dynamic financial landscape, Aadhaar-based KYC, whether through online authentication or offline verification, has become an indispensable tool for streamlining customer onboarding and ensuring regulatory compliance. However, the regulatory framework surrounding Aadhaar authentication remains stringent for good reason: it seeks to strike a delicate balance between enabling ease of business and safeguarding the sensitive personal information of individuals.

While offline verification using masked Aadhaar offers a universally accessible and relatively lower-risk method for KYC compliance by RBI-regulated entities, online authentication—though more robust and efficient—comes with heightened obligations. Only entities meeting the twin conditions of being recognized under Section 11A of the PML Act and being duly registered as a KUA or Sub-KUA with UIDAI are permitted to undertake online Aadhaar authentication. This dual-layered recognition ensures that only entities with demonstrably strong security practices are entrusted with the collection, storage, and processing of Aadhaar-related sensitive data.

As technology evolves and customer expectations shift toward faster, seamless digital experiences, regulated entities must not only prioritize compliance but also cultivate a strong internal culture of data protection and risk mitigation. Institutions seeking to leverage Aadhaar-based online authentication must therefore invest in robust data security frameworks, maintain strict internal governance standards, and ensure that their authentication practices align with both the letter and spirit of the law.

Union Budget 2025: Key Highlights and Reforms focusing on Financial Sector Entities


Resources on KYC

Know Your Customer (KYC) is the gateway to trust in today’s fast-paced financial world. It’s not just a regulatory requirement—it’s a shield against fraud, money laundering, and illicit activities that could compromise the integrity of businesses and the broader economy. By ensuring organizations truly understand the identities of their customers, KYC fosters a safer financial landscape where transparency reigns. With cutting-edge technology and rigorous verification processes, KYC helps businesses protect their reputation while building lasting, authentic relationships with clients. In a world where security and trust are paramount, KYC is the key to unlocking both.

Vinod Kothari and Company has constantly endeavoured to analyse and provide guidance on the matters arising therefrom.

Date of Publication | Title | Author/Speaker | Link
August 18, 2025 | Supreme Court Mandates Digital Accessibility: Action Points for Banks and NBFCs | Harshita Malik | https://vinodkothari.com/2025/08/supreme-court-mandates-digital-accessibility-action-points-for-banks-and-nbfcs/
August 14, 2025 | Setu-ing the Standard: NPCI’s New Path to Aadhaar e-KYC | Archisman Bhattacharjee | https://vinodkothari.com/2025/08/setu-ing-the-standard-npcis-new-path-to-aadhaar-e-kyc/
August 2, 2024 | Amendments in Prevention of Money-laundering (Maintenance of Records) Rules, 2005 | Garima Chugh | https://vinodkothari.com/2024/08/amendment-in-pmla-rules-w-r-t-kyc-details/
May 5, 2023 | Amendments to KYC Directions including non- face-to-face KYC | Vinod Kothari and Anita Baid | https://vinodkothari.com/2023/05/amendments-to-kyc-directions-including-non-face-to-face-kyc/
May 5, 2023 | Practicing professionals as reporting entities under PMLA | Team Finserv | https://vinodkothari.com/2023/05/practicing-professionals-as-reporting-entities-under-pmla/
May 1, 2023 | Amended KYC norms: A move towards faceless KYC | Anita Baid | https://vinodkothari.com/2023/05/amended-kyc-norms-a-move-towards-faceless-kyc/
February 1, 2023 | Simplifying the KYC process and business identifier | Anita Baid | https://vinodkothari.com/2023/02/simplifying-the-kyc-process-and-business-identifier/
March 7, 2022 | Aadhaar based KYC- Acceptance and verification procedures | Team Finserv | https://vinodkothari.com/2022/03/aadhaar-based-kyc-acceptance-and-verification-procedures/
September 15, 2021 | NBFCs licensed for KYC authentication: Guide to the new RBI privilege for Aadhaar e-KYC Authentication | Kanakprabha Jethani | https://vinodkothari.com/2021/09/nbfcs-licensed-for-kyc-authentication/
July 13, 2021 | Presentation on Basics of KYC | Kanakprabha Jethani | https://vinodkothari.com/2021/07/presentation-on-basics-of-kyc/
May 7, 2021 | Rationalisation of KYC- Measures for relief or technical advancement? | Kanakprabha Jethani | https://vinodkothari.com/2021/05/rationalisation-of-kyc/
December 22, 2020 | CKYCR becomes fully operational: The long-awaited format for legal entities’ information finally introduced | Kanakprabha Jethani | https://vinodkothari.com/2020/12/ckycr-becomes-fully-operational/
February 12, 2020 (Updated as on January 19, 2022) | An all-embracing guide to identity verification through CKYCR | Kanakprabha Jethani | https://vinodkothari.com/2020/02/guide-to-identity-verification-through-ckycr/
January 10, 2020 | KYC goes live! | Anita Baid | https://vinodkothari.com/2020/01/kyc-goes-live-rbi-promotes-seamless-real-time-secured-audiovisual-interaction-with-customers/
August 22, 2019 | Introduction of Digital KYC | Anita Baid | https://vinodkothari.com/2019/08/introduction-of-digital-kyc/
May 30, 2019 | RBI amends the KYC Master Directions | Anita Baid | https://vinodkothari.com/2019/05/rbi-amends-the-kyc-master-directions/
March 16, 2019 | Revised Guidelines on KYC & Anti-Money Laundering Measures for HFCs | Team Finserv | https://vinodkothari.com/2019/03/revised-guidelines-on-kyc-anti-money-laundering-measures-for-hfcs/
August 4, 2018 | Checkpoints for filing e-form DIR 3 KYC | Simran Jalan | https://vinodkothari.com/2018/08/checkpoints-for-filing-e-form-dir-3-kyc/
July 18, 2018 | Form DIR 3-KYC goes live; own phone no, email, DSC become mandatory | Team Finserv | https://vinodkothari.com/2018/07/form-dir-3-kyc-goes-live/
July 13, 2018 | New KYC norms for directors make a cell-phone, email & DSC mandatory for directors | Vinod Kothari | https://vinodkothari.com/2018/07/new-kyc-norms-for-directors/
April 28, 2018 | Analysis of amendments to KYC Master Directions, 2016 | Team Finserv | https://vinodkothari.com/2018/04/analysis-of-amendments-to-kyc-master-directions-2016/
September 3, 2016 | CKYC Registry: Uploading of KYC data | Anita Baid | https://vinodkothari.com/2016/09/ckyc-registry-uploading-of-kyc-data/
July 9, 2016 | Central KYC Registry to start test run. A major leap for digitizing India | Ameet Roy | https://vinodkothari.com/2016/07/central-kyc-registry-to-start-test-run-a-major-leap-for-digitizing-india/
May 19, 2016 | RBI’s KYC Directions: Additional compliances to be mindful of | Nikita Snehil | https://vinodkothari.com/2016/05/rbis-kyc-directions-additional-compliances-to-be-mindful-of/
October 10, 2012 | Proposed Centralized KYC Registry | Pooja Rawal | https://vinodkothari.com/2012/10/proposed-centralized-kyc-registry/

Amendments in Prevention of Money-laundering (Maintenance of Records) Rules, 2005

REs to update KYC details of clients

Garima Chugh, Executive | finserv@vinodkothari.com



Read our relevant resources below